I found inspiration for this blog while listening to the “How Do You Know if You’re Good at Security?” podcast on an early morning walk recently. The hosts and guests of the podcast, “Defense in Depth,” talked about risk management and metrics that security leadership might use to determine whether they are secure. They talked about reporting structures and what upper management might like to know to understand security and risk.
They even mentioned trust – that amorphous, difficult-to-define concept we try to apply to brands and to measure from our customers. Thank you to David Spark (@dspark), producer of CISO Series, guest co-host Geoff Belknap (@geoffbelknap), CISO for LinkedIn, and their guest Justin Berman (@justinmberman), former CISO of Dropbox, for their insights in their latest podcast. (We share a Slack channel in common and I count them as masters at whose feet I often sit for inspiration and education [#tinkerers].)
If you listen to the podcast episode, you’ll see that the gents cover a lot of ground. I would add two points to their discussion:
- A further fleshing out of trust because I think in the new digital era and especially post-COVID, trust is rapidly becoming something businesses cannot do without, and
- A prediction from the IDC FutureScape: Worldwide Future of Trust 2021 Predictions about crowdsourced risk management and how automation will be essential in making this a reality. “By 2023, collective risk management requirements between primary and third parties will force 50% of third-party risk and security service providers to employ advanced analytic tools.”
The Five Pillars of Trust
Trust is a concept IDC has taken on within its Future of X practices or FOX practices. I sit on the Future of Trust Council. It defines trust within five pillars (see below): risk, compliance, privacy, security, and social responsibility and ethics.
Risk and Risk Management: The Foundational Layer of Trust
As we see in this figure, risk is foundational. Without an understanding of risk and appropriate management of risk there is no trust. The Future of Trust defines security and compliance as compulsory, but nearly foundational as well. The strategic layers are privacy and ethics and social responsibility.
Allow me to bend your ear about the foundational layer of risk and how, without it, trust cannot exist. And let’s make a connection between the intemporal and abstract nature of risk. While risk can be somewhat quantified and perceived as linear, it is not one-size-fits-all. One organization’s risk posture cannot and should not equal another’s.
Risk will depend on industry, size, and type of customer data, as well as on IT architecture (on-premises, cloud native, multicloud…). Risk posture is also determined by business need. Some businesses will perhaps need less hardened security and be less concerned with risk, while others will batten down all the hatches they can and be strongly risk averse. Historically, risk has been a business function – even solely a finance function. But over time cybersecurity has crept in because of business impact and financial loss from breaches.
The Intersection of Risk and Trust
Where does this intersect with trust then? Consider the Target breach in 2013. Target’s CEO stepped down after the company lost 40M credit and debit cards of its customers to the attackers, and profits dropped 46% year-over-year compared with the same quarter. Two years later, the only evident long-term effects were increased awareness, regulation and spending. Did customers stop shopping at Target? No. While many postulate that Target lost consumer trust, I have yet to find evidence.
Fast forward to 2020 and the year of COVID-19. Consider your own relationship with companies that didn’t enforce proper hygiene or the wearing of masks. Consider airline CEOs who wrote emails promising empty middle seats, enforced mask-wearing, and temperature-taking, only to see those same airplanes crowded with full middle seats and unmasked passengers on the local news.
Consider the local restaurants where you had to elbow your way through a crowded waiting area to sign a credit card slip to pick up your takeaway dinner advertised as “touchless”. Now, on the flip side, think about a good experience, like a retailer offering curbside pick-up and sending messages to your cell phone when your order is ready, allowing you to say you’re on your way and to describe your car so the order can be delivered to it. Now who do you trust?
Here’s the connection. Those companies that pivoted fast in the beginning days of the pandemic to put the customer’s safety first are the ones we trust. Had they done a risk tolerance exercise prior to the pandemic? I don’t know, but I bet they’re doing one now (and we will have data on this soon). The better we know our shortcomings and potential failings in a worst-case scenario, the faster and the more comprehensively we can react. This calms the nerves of our customers.
Crowdsourced risk management is the intersection of outsourcing risk identification and monitoring to employees, to stakeholders beyond the governance, risk and compliance (GRC) and security teams and, well, frankly, to masses of internet users and companies. It calls upon all of us to keep each other safe and to identify potential risks.
To bring this back to the podcast I listened to: not everyone looks at risk in the same light, nor with the same potential business impact, so imagine if others in your industry thought something was risky and shared that with you, thereby raising your awareness of it. This happens in the FS-ISAC consortium today, but it doesn’t happen consistently and broadly enough unless you create trust circles for risk and threat telemetry in a threat intelligence platform (TIP).
This is a start, but imagine engaging everyone in your company and industry and, frankly, everyone across the internet masses, to ring the alarm bell when there’s danger. This is what crowdsourced risk management is meant to do, but it’s hard. It certainly takes advanced analytic tools like machine learning and automation. Robotic process automation is perhaps too basic an example, but what RPA did for streamlining human tasks, automation of crowdsourced risk management will do in the future. Just think of SEC filings, which have been highly manual until recently. In fact, a survey now 6 years old by the World Economic Forum’s Global Agenda Council on the Future of Software and Society states that 75% of its respondents expect 30% of all corporate audits to shift to AI by 2025 (I wish they would repeat this study).
Risk and Trust services are two key initiatives in my wheelhouse this year. Please join me and the Future of Trust team on March 9th at our virtual client event, IDC Directions, for an interesting discussion of trust, risk and security. Learn more about the full IDC Directions events and register for March 9 and 16.
Looking for more insights into how to effectively measure and quantify cybersecurity risk and its impact on the business? Learn more about IDC’s Risk Advisory Management and Privacy (RAMP) program:
Business leaders and technology suppliers need to develop a greater appreciation for trust and its importance to establishing and maintaining customer loyalty. Explore how to foster that loyalty through enterprise trust in IDC’s white paper, “The Condition of Trust: Focusing on Trustworthiness in a ‘Post-Truth’ World”: